Thanks to Joey and Chris for responding.

Joey had said
>Jump through the hoop of rebuilding the keystore with the current java
>       I believe this is what we did that made the difference I am not 
> familiar with PKCS11
>       we use Http11Nio2Protocol with PKCS12 for complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:
        <Connector port="8843"
              protocol="org.apache.coyote.http11.Http11Nio2Protocol"
              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
              server="Apache"
              keyAlias="tomcat9"
              keystorePass="XXXXXXXXXXXXXX" keystoreType="PKCS12"
              keystoreFile="<path>/tomcat9.p12"
              maxHttpHeaderSize="32768"
              sslEnabledProtocols="TLSv1.2"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
              clientAuth="false" sslProtocol="TLSv1.2"/>


This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
   org.apache.catalina.LifecycleException: Protocol handler initialization failed
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:568)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
   Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
      at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
      at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
      at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
      at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
      at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
      ... 13 more
   Caused by: java.io.IOException: keystore password was incorrect
      at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
      at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
      at java.base/java.security.KeyStore.load(KeyStore.java:1473)
      at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
      at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
      at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
      at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
      at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
      ... 20 more
   Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede
      ... 29 more
16-Nov-2022 14:54:58.860 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [6240] milliseconds


I am sure I am using the correct password, having created the keystore moments 
before this, so I assume the issue is with PBEWithSHA1AndDESede.  And now I'm 
in over my head...any advice?


Thanks so much,
Angela



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Tuesday, November 15, 2022 21:50
To: users@tomcat.apache.org
Subject: Re: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Angela,

On 11/14/22 11:56, Cantor, Angela T. wrote:
> We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now 
> tomcat won't listen on the desired port.  Something is wonky with it 
> accessing the keystore.  If you all see anything obvious, could you please 
> advise?  Especially if it involves switching to a pkcs12 keystore (which I 
> tried but that also failed - I am no expert on setting up either type so 
> maybe I did something wrong.)  Nothing other than the OpenJDK version seems 
> to matter - if we downgrade it back to 17.0.4.0.8, tomcat once again works 
> fine.  Note that 17.0.4.1.1-2.el8_6 also caused the same problem.
> 
> [snip]
>                      certificateKeystoreProvider="SunPKCS11-NSS-FIPS"

Could this be the problem? Does your new Java version have that security 
provider available? I have some code which can dump-out the available providers 
if you aren't sure.

>                      certificateKeystoreType="PKCS11"

This also looks weird to me: PKCS11 is an API, not a file type. But maybe you 
have to use this in order to access a keystore via the OpenSSL API? It makes 
some sense since you haven't specified a filename for the keystore. I don't 
have any experience with that. :/

-chris
